Does Matomo Tracker have any unpatched vulnerabilities?

No. All known vulnerabilities in Matomo Tracker have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Matomo Tracker compatible with WordPress 6.9.4?

According to WordPress.org data, Matomo Tracker 1.4.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Matomo Tracker compatible with PHP 8.0+?

Matomo Tracker requires PHP 8.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Matomo Tracker updated?

Matomo Tracker was last updated on Dec 31, 2025. Frequent updates are generally a positive security signal.

What is Matomo Tracker's security score?

Matomo Tracker has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Matomo Tracker Security & Risk Analysis

wordpress.org/plugins/matomo-analytics

The easiest way to track visitors in Matomo. No nonsense, just stats!

100 active installs v1.4.1 PHP 8.0+ WP 5.8+ Updated Dec 31, 2025

analyticsmatomostatstrackerweb-stats

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Matomo Tracker Safe to Use in 2026?

Generally Safe

Score 100/100

Matomo Tracker has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3mo ago

Risk Assessment

The matomo-analytics v1.4.1 plugin demonstrates a generally strong security posture based on the provided static analysis. The absence of any AJAX handlers, REST API routes, shortcodes, or cron events significantly limits the potential attack surface. Furthermore, the plugin utilizes prepared statements for all its SQL queries and does not appear to perform any file operations or external HTTP requests, which are common vectors for vulnerabilities. The presence of nonce checks is also a positive indicator of security awareness.

However, a notable concern arises from the output escaping. With 33 total outputs, only 36% are properly escaped, leaving a substantial portion vulnerable to Cross-Site Scripting (XSS) attacks. This lack of robust output sanitization is the primary risk identified in the code analysis. The taint analysis reveals no critical or high severity unsanitized flows, and the vulnerability history is clean, with no recorded CVEs. This history, while positive, could also indicate a lack of past vulnerabilities rather than absolute long-term security, especially when coupled with the identified output escaping issues.

In conclusion, while the plugin excels in minimizing its attack surface and secure database interactions, the significant percentage of unescaped output presents a clear and present risk of XSS vulnerabilities. The absence of past CVEs is encouraging but should not overshadow the current code-level concerns. Addressing the output escaping issues should be a priority to improve the plugin's overall security.

Key Concerns

Low output escaping percentage

Vulnerabilities

None known

Matomo Tracker Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

Matomo Tracker Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

12 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

36% escaped33 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

ajdg_matomo_save_settings (ajdg-matomo-tracker-functions.php:68)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Matomo Tracker Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 9

actioninitajdg-matomo-tracker.php:37

actionwp_footerajdg-matomo-tracker.php:41

filterpost_linkajdg-matomo-tracker.php:43

filterthe_contentajdg-matomo-tracker.php:45

actionadmin_menuajdg-matomo-tracker.php:51

actionadmin_print_stylesajdg-matomo-tracker.php:52

actionadmin_noticesajdg-matomo-tracker.php:53

filterplugin_row_metaajdg-matomo-tracker.php:54

actioninitajdg-matomo-tracker.php:56

Maintenance & Trust

Matomo Tracker Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 31, 2025

PHP min version8.0

Downloads6K

Community Trust

Rating90/100

Number of ratings2

Active installs100

Alternatives

Matomo Tracker Alternatives

Connect Matomo – Analytics Dashboard for WordPress

wp-piwik

Adds Matomo (former Piwik) statistics to your WordPress dashboard and is also able to add the Matomo Tracking Code to your blog.

60K 5 CVEs

Web-Stat

web-stat

Free, real-time stats for your web site with full visitors details. Add Web-Stat in just one click and check out your site's activity, live!

6K 1 CVE

Trace My IP – Visitor IP Tracker, Stats Analytics & Page Views Counter with Email Alerts

tracemyip-visitor-analytics-ip-tracking-control

100

Comprehensive visitor IP tracking and website analytics solution with real-time statistics, page view counting, and customizable email alerts.

1K No CVEs

Simple Matomo Tracking Code

simple-matomo-tracking-code

This unofficial plugin adds the Matomo Web Analytics javascript code into the footer of your website. It has several useful options.

900 1 CVE

WP Statistics – Simple, privacy-friendly Google Analytics alternative

wp-statistics

Get website traffic insights with GDPR/CCPA compliant, privacy-friendly analytics. Includes visitor data, stunning graphs, and no data sharing.

600K 35 CVEs

Developer Profile

Matomo Tracker Developer Profile

Arnan de Gans

6 plugins · 23K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

1353 days

View full developer profile

Detection Fingerprints

How We Detect Matomo Tracker

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

FAQ